+------------------------------------------------------------------------+
|  LinuxSecurity.com Weekly Newsletter                                   |
|  February 15th, 2008                                Volume 9, Number 7 |
|                                                                        |
|  Editorial Team:  Dave Wreski <dwreski@xxxxxxxxxxxxxxxxx>              |
|                   Benjamin D. Thomas <bthomas@xxxxxxxxxxxxxxxxx>       |
+------------------------------------------------------------------------+

Thank you for reading the LinuxSecurity.com weekly security newsletter.
The purpose of this document is to provide our readers with a quick
summary of each week's most relevant Linux security headlines.

This week, advisories were released for nagios, sdl-image, wml, tk,
iceweasel, icedove, xulrunner, phpbb2, libexif, kernel, mandriva-kde,
rpmdrake, Qt4, netpbm, gd, libcdio, python, firefox, imageop, nss_ldap,
rsync, e2fsprogs, and tetex.

---

15-Month NSA Certified Masters in Info Assurance

Now you can earn your Master of Science in Information Assurance (MSIA)
in 15 months. Norwich University has recently launched a 30-credit,
15-month program, alongside the standard 36-credit, 18-month program.
To find out if you are eligible for the 15-month MSIA program, please
visit: http://www.msia.norwich.edu/linsec

---

>> Linux+DVD Magazine <<

Our magazine is read by professional network and database
administrators, system programmers, webmasters and all those who believe
in the power of Open Source software. The majority of our readers are
between 15 and 40 years old. They are interested in current news from
the Linux world, upcoming projects etc. In each issue you can find
information concerning typical use of Linux: safety, databases,
multimedia, scientific tools, entertainment, programming, e-mail, news
and desktop environments.

http://www.linuxsecurity.com/ads/adclick.php?bannerid=26

---

Meet the Anti-Nmap: PSAD
------------------------

Having a great defense involves proper detection and recognition of an
attack.
In our security world we have great IDS tools to properly recognize when
we are being attacked as well as firewalls to prevent such attacks from
happening. However, certain attacks are not blindly thrown at you - a
good attacker knows that a certain amount of reconnaissance and
knowledge about your defenses greatly increases the chances of a
successful attack. How would you know if someone is scanning your
defenses? Is there any way to properly respond to such scans?

http://www.linuxsecurity.com/content/view/134248

---

Open Source Tool of February: Nmap!
-----------------------------------

This February, the team at Linuxsecurity.com has chosen NMAP as the Open
Source Security Tool of the Month! In January, we chose GnuPG in part
because it had just celebrated its 10th anniversary. Well, it wasn't
alone. As of this past December Nmap ("Network Mapper"), the free and
open source utility for network exploration and auditing, celebrated its
10th Anniversary as well! And because of its popularity, chances are
very good that you've already used NMAP for quite some time. Even if you
have, it's always good to take a look at how it all got started and what
it's all about...

http://www.linuxsecurity.com/content/view/133931

-->  Take advantage of the LinuxSecurity.com Quick Reference Card!  <--
-->  http://www.linuxsecurity.com/docs/QuickRefCard.pdf  <--

--------------------------------------------------------------------------

* EnGarde Secure Community v3.0.18 Now Available! (Dec 4)
  -------------------------------------------------------
  Guardian Digital is happy to announce the release of EnGarde Secure
  Community 3.0.18 (Version 3.0, Release 18). This release includes the
  brand new Health Center, new packages for FWKNP and PSAD, updated
  packages and bug fixes, some feature enhancements to Guardian Digital
  WebTool and the SELinux policy, as well as other new features.
  In distribution since 2001, EnGarde Secure Community was one of the
  very first security platforms developed entirely from open source, and
  has been engineered from the ground-up to provide users and
  organizations with complete, secure Web functionality, DNS, database
  and e-mail security, integrated intrusion detection and SELinux
  policies and more.

  http://www.linuxsecurity.com/content/view/131851

--------------------------------------------------------------------------

* Debian: New linux-2.6 packages fix privilege escalation (Feb 13)
  ----------------------------------------------------------------
  The vmsplice system call did not properly verify address arguments
  passed by user space processes, which allowed local attackers to
  overwrite arbitrary kernel memory, gaining root privileges.

  http://www.linuxsecurity.com/content/view/134524

* Debian: New mplayer packages fix arbitrary code execution (Feb 12)
  ------------------------------------------------------------------
  Several buffer overflows have been discovered in the MPlayer movie
  player, which might lead to the execution of arbitrary code. The
  Common Vulnerabilities and Exposures project identifies the following
  problems:

  http://www.linuxsecurity.com/content/view/134250

* Debian: New nagios-plugins packages fix several (Feb 12)
  --------------------------------------------------------
  A buffer overflow has been discovered in the parser for HTTP Location
  headers (present in the check_http module).

  http://www.linuxsecurity.com/content/view/134249

* Debian: New linux-2.6 packages fix privilege escalation (Feb 11)
  ----------------------------------------------------------------
  The vmsplice system call did not properly verify address arguments
  passed by user space processes, which allowed local attackers to
  overwrite arbitrary kernel memory, gaining root privileges
  (CVE-2008-0010, CVE-2008-0600).
  http://www.linuxsecurity.com/content/view/134233

* Debian: New sdl-image1.2 packages fix arbitrary code execution (Feb 10)
  -----------------------------------------------------------------------
  Gynvael Coldwind discovered a buffer overflow in GIF image parsing,
  which could result in denial of service and potentially the execution
  of arbitrary code.

  http://www.linuxsecurity.com/content/view/134232

* Debian: New wml packages fix denial of service (Feb 10)
  -------------------------------------------------------
  Frank Lichtenheld and Nico Golde discovered that WML, an off-line HTML
  generation toolkit, creates insecure temporary files in the eperl and
  ipp backends and in the wmg.cgi script, which could lead to local
  denial of service by overwriting files.

  http://www.linuxsecurity.com/content/view/134231

* Debian: New tk8.4 packages fix arbitrary code execution (Feb 10)
  ----------------------------------------------------------------
  It was discovered that a buffer overflow in the GIF image parsing code
  of Tk, a cross-platform graphical toolkit, could lead to denial of
  service and potentially the execution of arbitrary code.

  http://www.linuxsecurity.com/content/view/134230

* Debian: New tk8.3 packages fix arbitrary code execution (Feb 10)
  ----------------------------------------------------------------
  It was discovered that a buffer overflow in the GIF image parsing code
  of Tk, a cross-platform graphical toolkit, could lead to denial of
  service and potentially the execution of arbitrary code.

  http://www.linuxsecurity.com/content/view/134229

* Debian: New iceweasel packages fix several vulnerabilities (Feb 10)
  -------------------------------------------------------------------
  Several remote vulnerabilities have been discovered in the Iceweasel
  web browser, an unbranded version of the Firefox browser. Jesse
  Ruderman, Kai Engert, Martijn Wargers, Mats Palmgren and Paul
  Nickerson discovered crashes in the layout engine, which might allow
  the execution of arbitrary code.
  http://www.linuxsecurity.com/content/view/134228

* Debian: New icedove packages fix several vulnerabilities (Feb 10)
  -----------------------------------------------------------------
  Several remote vulnerabilities have been discovered in the Icedove
  mail client, an unbranded version of the Thunderbird client. Jesse
  Ruderman, Kai Engert, Martijn Wargers, Mats Palmgren and Paul
  Nickerson discovered crashes in the layout engine, which might allow
  the execution of arbitrary code.

  http://www.linuxsecurity.com/content/view/134227

* Debian: New xulrunner packages fix several vulnerabilities (Feb 10)
  -------------------------------------------------------------------
  Several remote vulnerabilities have been discovered in Xulrunner, a
  runtime environment for XUL applications. Jesse Ruderman, Kai Engert,
  Martijn Wargers, Mats Palmgren and Paul Nickerson discovered crashes
  in the layout engine, which might allow the execution of arbitrary
  code.

  http://www.linuxsecurity.com/content/view/134226

* Debian: New phpbb2 packages fix several vulnerabilities (Feb 8)
  ---------------------------------------------------------------
  Several remote vulnerabilities have been discovered in phpBB, a web
  based bulletin board. Private messaging allowed cross site request
  forgery, making it possible to delete all private messages of a user
  by sending them to a crafted web page.

  http://www.linuxsecurity.com/content/view/134225

* Debian: New libexif packages fix several vulnerabilities (Feb 8)
  ----------------------------------------------------------------
  Several vulnerabilities have been discovered in the EXIF parsing code
  of the libexif library, which can lead to denial of service or the
  execution of arbitrary code if a user is tricked into opening a
  malformed image.
  http://www.linuxsecurity.com/content/view/134220

--------------------------------------------------------------------------

* Fedora 7 Update: kernel-2.6.23.15-80.fc7 (Feb 11)
  -------------------------------------------------
  Update to Linux kernel 2.6.23.15:
  http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.23.15

  Fix vmsplice local root vulnerability:
    CVE-2008-0009: Fixed by update to 2.6.23.15.
    CVE-2008-0010: Fixed by update to 2.6.23.15.
    CVE-2008-0600: Extra fix from upstream applied.
  Fix memory leak in netlabel code (#352281)
  Autoload the Dell dcdbas driver like in F8 (#326041)
  Work around broken Seagate LBA48 disks. (F8#429364)
  Fix futex oops on uniprocessor machine. (F8#429412)
  Add support for new Macbook touchpads. (F8#426574)
  Fix the initio driver broken in 2.6.23. (F8#390531)
  Fix segfaults from using vdso=2. (F8#427641)
  FireWire updates, fixing multiple problems.
  ACPI: fix multiple problems with brightness controls (F8#427518)
  Wireless driver updates from upstream.

  http://www.linuxsecurity.com/content/view/134234

* Fedora 8 Update: kernel-2.6.23.15-137.fc8 (Feb 11)
  --------------------------------------------------
  Update to Linux kernel 2.6.23.15:

  Fix vmsplice local root vulnerability:
    CVE-2008-0009: Fixed by update to 2.6.23.15.
    CVE-2008-0010: Fixed by update to 2.6.23.15.
    CVE-2008-0600: Extra fix from upstream applied.
  Fix memory leak in netlabel code.
  Work around broken Seagate LBA48 disks. (#429364)
  Fix futex oops on uniprocessor machine. (#429412)
  Add support for new Macbook touchpads. (#426574)
  Fix the initio driver broken in 2.6.23. (#390531)
  Fix segfaults from using vdso=2. (#427641)
  FireWire updates, fixing multiple problems. (#429598)
  ACPI: fix multiple problems with brightness controls (#427518)
  Fix Megahertz PCMCIA Ethernet adapter (#233255)
  Fix oops in netfilter. (#430663)
  ACPI: fix early init of EC (#426480)
  ALSA: fix audio on some systems with STAC codec (#431360)
  Atheros L2 fast Ethernet driver (atl2) for ASUS Eeepc.
  ASUS Eeepc ACPI hotkey driver.
  Wireless driver updates from upstream.

  http://www.linuxsecurity.com/content/view/134235

* Fedora 7 Update: tk-8.4.13-7.fc7 (Feb 7)
  ----------------------------------------
  Fixed security issue - buffer overflow in gif parsing.

  http://www.linuxsecurity.com/content/view/134096

* Fedora 8 Update: dovecot 1.0.10-4.fc8 (Feb 7)
  ---------------------------------------------
  New upstream release, fixing a very minor security issue.

  http://www.linuxsecurity.com/content/view/134058

--------------------------------------------------------------------------

* Mandriva: Updated mandriva-kde-config packages fix loss of (Feb 13)
  -------------------------------------------------------------------
  The KDE panel has a clock applet which includes the ability to change
  its appearance and behavior. Because of a configuration problem, these
  changes were not properly saved and were lost at every user login.
  This update fixes the problem.

  http://www.linuxsecurity.com/content/view/134527

* Mandriva: Updated desktop-common-data package fixes menus, (Feb 13)
  -------------------------------------------------------------------
  In Mandriva Linux 2008.0 some utilities were not correctly displayed in
  the Tools menu (such as Yakuake), and settings:// was not working
  properly in KDE konqueror. This update fixes the problems.

  http://www.linuxsecurity.com/content/view/134526

* Mandriva: Updated kernel packages fix multiple (Feb 12)
  -------------------------------------------------------
  The wait_task_stopped function in the Linux kernel before 2.6.23.8
  checks a TASK_TRACED bit instead of an exit_state value, which allows
  local users to cause a denial of service (machine crash) via
  unspecified vectors. NOTE: some of these details are obtained from
  third party information.
  http://www.linuxsecurity.com/content/view/134237

* Mandriva: Updated kernel packages fix multiple (Feb 12)
  -------------------------------------------------------
  Due to a flaw in the vmsplice system call, address arguments passed by
  user-space processes were not properly verified, which allowed local
  attackers to overwrite arbitrary kernel memory and gain root
  privileges. Mandriva urges all users to upgrade to these new kernels
  immediately as this flaw is being actively exploited. This issue only
  affects 2.6.17 and newer Linux kernels, so neither Corporate 3.0 nor
  Corporate 4.0 are affected.

  http://www.linuxsecurity.com/content/view/134236

* Mandriva: Updated rpmdrake packages fix various bugs (Feb 8)
  ------------------------------------------------------------
  This drakxtools update package fixes issues with the harddrake tool to
  make sure that USB keys are not auto-configured by the service at boot
  (#34568), and adds back the Run Config tool button in the harddrake
  interface (#34794).

  http://www.linuxsecurity.com/content/view/134224

* Mandriva: Updated rpmdrake packages fix various bugs (Feb 8)
  ------------------------------------------------------------
  This update fixes a crash when reading packages with an empty backport
  media (#36720). This is a rare bug since DVD media did not include
  backport media, and network media provides a non-empty backport media.
  It also makes sure that a wait dialog is always destroyed (#36921).

  http://www.linuxsecurity.com/content/view/134222

* Mandriva: Updated Qt4 packages fix vulnerability in (Feb 8)
  -----------------------------------------------------------
  A potential vulnerability was discovered in Qt4 version 4.3.0 through
  4.3.2 which may cause certificate verification in SSL connections not
  to be performed. As a result, code that uses QSslSocket could be
  tricked into thinking that the certificate was verified correctly when
  it actually failed in one or more criteria. The updated packages have
  been patched to correct this issue.
  http://www.linuxsecurity.com/content/view/134217

* Mandriva: Updated tk packages fix buffer overflow (Feb 7)
  ---------------------------------------------------------
  The ReadImage() function in Tk did not check codeSize read from GIF
  images prior to initializing the append array, which could lead to a
  buffer overflow with unknown impact. The updated packages have been
  patched to correct this issue.

  http://www.linuxsecurity.com/content/view/134215

* Mandriva: Updated SDL_image packages fix vulnerabilities (Feb 7)
  ----------------------------------------------------------------
  The LWZReadByte() and IMG_LoadLBM_RW() functions in SDL_image contain
  a boundary error that could be triggered to cause a static buffer
  overflow and a heap-based buffer overflow. If a user using an
  application linked against the SDL_image library were to open a
  carefully crafted GIF or IFF ILBM file, the application could crash or
  possibly allow for the execution of arbitrary code. The updated
  packages have been patched to correct this issue.

  http://www.linuxsecurity.com/content/view/134214

* Mandriva: Updated netpbm packages fix buffer overflow (Feb 7)
  -------------------------------------------------------------
  A buffer overflow in the giftopnm utility in netpbm prior to version
  10.27 could allow attackers to have an unknown impact via a specially
  crafted GIF file. The updated packages have been patched to correct
  this issue.

  http://www.linuxsecurity.com/content/view/134212

* Mandriva: Updated gd packages fix buffer overflow (Feb 7)
  ---------------------------------------------------------
  Buffer overflow in the LWZReadByte() function in gd_gif_in.c in GD
  prior to 2.0.34 allows remote attackers to have an unknown impact via
  a GIF file with input_code_size greater than MAX_LWZ_BITS, which
  triggers an overflow when initializing the table array. This was
  originally fixed in PHP's embedded GD with MDKSA-2006:162; patches had
  not been applied to the system libgd at that time.
  The updated packages have been patched to correct this issue.

  http://www.linuxsecurity.com/content/view/134213

* Mandriva: Updated libcdio packages fix DoS vulnerability (Feb 7)
  ----------------------------------------------------------------
  A stack-based buffer overflow was discovered in libcdio that allowed
  context-dependent attackers to cause a denial of service (core dump)
  and possibly execute arbitrary code via a disk or image file that
  contains a long Joliet file name. In addition, failed UTF-8
  conversions that would cause a segfault on certain ISOs were also
  fixed. The updated packages have been patched to correct this issue.

  http://www.linuxsecurity.com/content/view/134211

--------------------------------------------------------------------------

* Slackware: kernel exploit fix (Feb 12)
  ----------------------------------------
  New kernel packages are available for Slackware 12.0, and -current to
  fix a local root exploit. More details about this issue may be found
  in the Common Vulnerabilities and Exposures (CVE) database:

    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0010
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0163
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0600

  http://www.linuxsecurity.com/content/view/134251

--------------------------------------------------------------------------

* Ubuntu: Linux kernel vulnerabilities (Feb 13)
  ----------------------------------------------
  The minix filesystem did not properly validate certain filesystem
  values. If a local attacker could trick the system into attempting to
  mount a corrupted minix filesystem, the kernel could be made to hang
  for long periods of time, resulting in a denial of service.
  (CVE-2006-6058)

  http://www.linuxsecurity.com/content/view/134529

* Ubuntu: Linux kernel vulnerability (Feb 12)
  --------------------------------------------
  Wojciech Purczynski discovered that the vmsplice system call did not
  properly perform verification of user-memory pointers.
  A local attacker could exploit this to overwrite arbitrary kernel
  memory and gain root privileges. (CVE-2008-0600)

  http://www.linuxsecurity.com/content/view/134247

* Ubuntu: Firefox vulnerabilities (Feb 7)
  ----------------------------------------
  Various flaws were discovered in the browser and JavaScript engine. By
  tricking a user into opening a malicious web page, an attacker could
  execute arbitrary code with the user's privileges. (CVE-2008-0412,
  CVE-2008-0413)

  http://www.linuxsecurity.com/content/view/134216

--------------------------------------------------------------------------

* Foresight: python (Feb 12)
  --------------------------
  Previous versions of the python package contain an integer overflow in
  the imageop module which could cause a denial-of-service (crash) or
  possibly leak sensitive information.

  http://www.linuxsecurity.com/content/view/134246

* Foresight: firefox (Feb 12)
  ---------------------------
  Multiple vulnerabilities have been fixed in firefox, the most serious
  of which is thought to allow unauthorized remote execution of
  arbitrary code at the permission level of the user running firefox.

  http://www.linuxsecurity.com/content/view/134245

* Foresight: imageop (Feb 12)
  ---------------------------
  Previous versions of the python package contain an integer overflow in
  the imageop module which could cause a denial-of-service (crash) or
  possibly leak sensitive information.

  http://www.linuxsecurity.com/content/view/134244

* Foresight: nss_ldap (Feb 12)
  ----------------------------
  Previous versions of nss_ldap contain a race condition that can allow
  nss_ldap to return the wrong information, allowing for the possibility
  of improper information disclosure.

  http://www.linuxsecurity.com/content/view/134243

* Foresight: rsync (Feb 12)
  -------------------------
  Previous versions of the rsync package contain vulnerabilities in the
  rsync server, potentially allowing users to bypass security
  restrictions.
  Foresight Linux does not, by default, configure the rsync server to
  run.

  http://www.linuxsecurity.com/content/view/134242

* Foresight: e2fsprogs (Feb 12)
  -----------------------------
  Previous versions of the e2fsprogs package are vulnerable to multiple
  integer overflows which may be exploited via specially-crafted
  filesystems. The workaround is to not run fsck on a filesystem to
  which an untrusted user has the ability to directly modify filesystem
  metadata. This is most commonly an issue when using a virtualization
  solution in which the root user for the guest OS is not trusted, and
  can convince the host's root user to run fsck on the guest's
  filesystem. Foresight Linux neither enables nor supports any form of
  virtualization in the default install.

  http://www.linuxsecurity.com/content/view/134241

* Foresight: tetex (Feb 12)
  -------------------------
  Previous versions of the tetex package are vulnerable to multiple
  issues, the worst of which is believed to allow arbitrary code
  execution via user-assisted vectors when dvips or dviljk are run on
  specially-crafted files, or when loading malformed font data using
  t1lib.

  http://www.linuxsecurity.com/content/view/134240

* Foresight: gd (Feb 12)
  ----------------------
  Previous versions of the gd package are vulnerable to a possible
  arbitrary code execution attack in which an attacker may use a
  maliciously crafted GIF file to trigger a buffer overflow. The libgd
  library is not exposed via any privileged or remote interfaces within
  Foresight Linux proper.

  http://www.linuxsecurity.com/content/view/134239

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

To unsubscribe email vuln-newsletter-request@xxxxxxxxxxxxxxxxx with
"unsubscribe" in the subject of the message.
------------------------------------------------------------------------